The present invention relates to network intrusion detectors used to protect computer networks from attack and in particular to a network intrusion detector that provides improved detection of malware disguised through the use of alternate data encodings.
Network intrusion detection systems (NIDS) are systems that attempt to detect malware attacks on computer networks by monitoring network traffic. Malware can be computer viruses, Trojan horses, spyware, adware, denial of service attacks, and other software intended to infiltrate or damage a computer system. An example public domain NIDS is Snort, a GPL-licensed open source network intrusion detection system written by Martin Roesch and available from Sourcefire of Columbia, Md., US.
A common NIDS uses a database of malware “signatures” identifying known malware. A malware attack is detected by matching the signatures to incoming or outgoing network traffic on a real-time basis. First, the NIDS parses the network traffic according to a protocol specification of the network data, for example, identifying an HTTP method or a URL. Next, the NIDS matches the parsed traffic to signatures within a signature database, each of which may be keyed to a particular protocol element, for example, a signature that relates only to a URL. If a match occurs, in a passive system, the NIDS logs the attack information and provides an alarm to the user. In an intrusion prevention system, the NIDS also attempts to “log off” the attacker or otherwise block access to the network.
Attackers may attempt to elude detection by a signature-based NIDS by altering the encoding of the malware data so that it no longer matches existing signatures yet is functionally unchanged. This may be done by changing the encoding of the malware in relatively minor ways, for example, by switching upper case characters to lower case and vice versa, by expressing characters as hexadecimal ASCII values, or by using other encodings recognized by the network computers as equivalent. The alternate encodings avoid a strict match with existing signatures without functionally altering the malware.
NIDS designers have responded to this problem of alternative encodings by employing a “normalization” step in which network traffic is normalized by changing all alternate encodings of each character of the network traffic into an equivalent character in a common encoding set. For example, the normalizing step may convert all network data into lower case characters. Signatures expressed in the common encoding set (e.g., lower case characters) are then applied to the normalized network data.
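The normalization step described above, as an added illustration that is not part of this document: a URL normalizer that decodes `%XX` hexadecimal escapes and folds case before signatures are applied. The signature names and patterns are constructed for the example, not taken from any real rule set, and the `passes` bound is an assumption about how many decoding rounds the receiving host performs.

```python
import re

# Constructed sample signatures (not from any real rule set): lower-case
# substrings expected to appear in the URL element of a request.
SIGNATURES = {
    "sig-cmd-exec": "/cgi-bin/cmd.exe",
    "sig-traversal": "../../etc/passwd",
}

_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def normalize_url(raw: str, passes: int = 1) -> str:
    """Collapse alternate encodings of a URL into one common form.

    Each pass replaces every %XX escape with the character it denotes;
    the result is then folded to lower case. `passes` is bounded because
    a normalizer that decodes more (or fewer) times than the host that
    will interpret the URL is no longer a correct model of that host.
    """
    text = raw
    for _ in range(passes):
        decoded = _PCT.sub(lambda m: chr(int(m.group(1), 16)), text)
        if decoded == text:  # nothing left to decode, stop early
            break
        text = decoded
    return text.lower()


def match_signatures(url: str, normalize: bool = True) -> list[str]:
    """Return the names of signatures whose pattern occurs in the URL.

    With normalize=False the signatures are applied to the raw encoding,
    which is the strict match an attacker's re-encoding is meant to defeat.
    """
    text = normalize_url(url) if normalize else url
    return sorted(name for name, pat in SIGNATURES.items() if pat in text)


if __name__ == "__main__":
    # Constructed request URL: mixed case plus a hex-encoded '.' and '/'.
    sample = "/CGI-BIN/cmd%2eexe"
    print("raw match:       ", match_signatures(sample, normalize=False))
    print("normalized match:", match_signatures(sample))
```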
Protocol analysis and normalization can significantly decrease the throughput of the NIDS. Further, it is difficult to create an a priori normalization system that is efficient and correct.